RISK: The Consensus Security Vulnerability Alert Vol. 8 No. 22
From: The SANS Institute (ConsensusSecurityVulnerabilityAlert at sans.org)
Date: Thu May 28 2009 - 17:33:57 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Apple QuickTime and Blackberry users have critical problems to deal with.
*************************************************************************
RISK: The Consensus Security Vulnerability Alert
May 28, 2009 Vol. 8. Week 22
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of Updates and Vulnerabilities in this Consensus
Platform Number of Updates and Vulnerabilities
- ------------------------ -------------------------------------
Third Party Windows Apps 4
Linux 1
Solaris 2
Aix 1
Novell 3 (#3)
Cross Platform 13 (#1, #2, #4, #5)
Web Application - Cross Site Scripting 11
Web Application - SQL Injection 16
Web Application 26
Network Device 1
******************** Sponsored By Sourcefire, Inc. **********************
Your Network Security Isn't Good Enough Anymore
Today's threats-and networks-are dynamic. Unfortunately most network
security systems are not.
Join Martin Roesch, Founder and CTO of Sourcefire(r) and Creator of
Snort(r), in a series of seminars, as he shows why network security must
include full network visibility, relevant context, and automated impact
assessment to be effective.
More information http://www.sans.org/info/44123
*************************************************************************
TRAINING UPDATE
- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses)
http://www.sans.org/sansfire09/event.php
- - Pen Testing and Web Application Attack Summit - June 1-2
http://www.sans.org/pentesting09_summit
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses)
http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses)
https://www.sans.org/boston09/index.php
- - National Forensics Summit, July 6-14
http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/
Save 25% on all On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyadh, Cairo, Melbourne, Canberra, and
Singapore all in the next 90 days. For a list of all upcoming events,
on-line and live: www.sans.org
*************************************************************************
Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Widely Deployed Software
(1) CRITICAL: Apple QuickTime PICT Heap Overflow Vulnerability
(2) CRITICAL: BlackBerry Attachment Service PDF distiller Multiple Vulnerabilities
(3) HIGH: Novell GroupWise Multiple Vulnerabilities
(4) LOW: ImageMagick Integer Overflow Vulnerability
(5) LOW: CiscoWorks Common Services TFTP Directory Traversal Vulnerability
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)
-- Third Party Windows Apps
09.22.1 - Nullsoft Winamp "gen_ff.dll" Buffer Overflow
09.22.2 - Soulseek Distributed File Search Buffer Overflow
09.22.3 - SonicWALL Global VPN Client "RampartSvc" Local Privilege Escalation
09.22.4 - SonicWALL Global Security Client Local Privilege Escalation
-- Linux
09.22.5 - Red Hat Certificate System Agent Group Security Bypass
-- Solaris
09.22.6 - Sun Solaris Secure Digital Slot Driver (sdhost(7D)) Local Code Execution
09.22.7 - Sun Solaris "sadmind" Daemon Multiple Buffer Overflow Vulnerabilities
-- Aix
09.22.8 - IBM AIX "MALLOCDEBUG" File Overwrite
-- Novell
09.22.9 - Novell GroupWise Internet Agent Email Address Processing Buffer Overflow
09.22.10 - Novell GroupWise Internet Agent SMTP Request Processing Buffer Overflow
09.22.11 - Novell GroupWise WebAccess Multiple Security Vulnerabilities
-- Cross Platform
09.22.12 - CiscoWorks Common Services TFTP Server Directory Traversal
09.22.13 - Drupal Email Verification Module Cross-Site Scripting and Information Disclosure Vulnerabilities
09.22.14 - Pidgin Multiple Buffer Overflow Vulnerabilities
09.22.15 - Multiple Panda Products TAR/CAB Files Scan Evasion
09.22.16 - Serena Dimensions CM SSL Certificate Signature Verification
09.22.17 - IPFilter "ippool" "lib/load_http.c" Local Buffer Overflow
09.22.18 - Wireshark PCNFSD Dissector Denial of Service
09.22.19 - Open Handset Alliance Android Signature Validation Local Privilege Escalation
09.22.20 - SonicWALL Global VPN Client Log File Remote Format String
09.22.21 - Lighttpd Trailing Slash Information Disclosure
09.22.22 - Multiple ArcaBit ArcaVir Products Multiple IOCTL Request Local Privilege Escalation Vulnerabilities
09.22.23 - BlackBerry Attachment Service PDF Distiller Multiple Unspecified Security Vulnerabilities
09.22.24 - ImageMagick TIFF File Integer Overflow
-- Web Application - Cross Site Scripting
09.22.25 - Novell GroupWise WebAccess "gw/webacc" Multiple Cross-Site Scripting Vulnerabilities
09.22.26 - Steam "steam://" Cross-Site Scripting
09.22.27 - IPplan "grp" Parameter Cross-Site Scripting
09.22.28 - Kingsoft WebShield Cross-Site scripting and Remote Command Execution
09.22.29 - Catviz Multiple Local File Include and Cross-Site Scripting Vulnerabilities
09.22.30 - Sun Java System Communications Express "search.xml" Cross-Site Scripting
09.22.31 - Sun Java System Communications Express "UWCMain" Cross-Site Scripting
09.22.32 - Web Conference Room Free Unspecified Cross-Site Scripting
09.22.33 - a-News Unspecified Cross-Site Scripting
09.22.34 - DotNetNuke "ErrorPage.aspx" Cross-Site Scripting
09.22.35 - Sun Java System Portal Server Error Page Cross-Site Scripting
-- Web Application - SQL Injection
09.22.36 - Article Directory Script "yad-admin/login.php" SQL Injection
09.22.37 - Flash Quiz Multiple SQL Injection Vulnerabilities
09.22.38 - Your Articles Directory "page.php" SQL Injection
09.22.39 - IPcelerate IPsession Unspecified SQL Injection
09.22.40 - DM FileManager "Username" and "Password" SQL Injection Vulnerabilities
09.22.41 - Joomla! Casino Component "Itemid" Parameter Multiple SQL Injection Vulnerabilities
09.22.42 - Realty Web-Base "list_list.php" Parameter SQL Injection
09.22.43 - Scripts for Sites EZ Pub Site "directory.php" SQL Injection
09.22.44 - 26th Avenue bSpeak
09.22.45 - LxBlog Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
09.22.46 - ZaoCMS "admin/modules/Users/edit_user.php" SQL Injection
09.22.47 - Saman Portal "pageid" Parameter SQL Injection
09.22.48 - Joomla! Boy Scout Advancement "id" Parameter Multiple SQL Injection Vulnerabilities
09.22.49 - vbPlaza "name" Parameter SQL Injection
09.22.50 - phpBugTracker "index.php" SQL Injection
09.22.51 - Graphiks MyForum Login Multiple SQL Injection Vulnerabilities
-- Web Application
09.22.52 - JobScript "mycv.php" Arbitrary File Upload
09.22.53 - ZaoCMS Insecure Cookie Authentication Bypass
09.22.54 - Profense Web Application Firewall Security Bypass Vulnerabilities
09.22.55 - ASP Inline Corporate Calendar Cross Site Scripting and SQL Injection Vulnerabilities
09.22.56 - VICIDIAL Call Center Suite "admin.php" Multiple SQL Injection Vulnerabilities
09.22.57 - VidShare Pro SQL Injection and Cross Site Scripting Vulnerabilities
09.22.58 - DMXReady Registration Manager "assetmanager.asp" Arbitrary File Upload
09.22.59 - NC GBook "index.php" Remote PHP Code Injection
09.22.60 - NC LinkList "index.php" Remote PHP Code Injection
09.22.61 - CGI Rescue WEB Mailer HTTP Header Injection
09.22.62 - Jorp "functions.php" Authentication Bypass
09.22.63 - Drupal Views Bulk Operations Security Bypass
09.22.64 - Tutorial Share Insecure Cookie Authentication Bypass
09.22.65 - ZaoCMS "upload.php" Arbitrary File Upload
09.22.66 - Multiple Mole Group Products "admin.php" Remote Password Change
09.22.67 - Zeeways PHOTOVIDEOTUBE Multiple Remote Vulnerabilities
09.22.68 - Cute Editor for ASP.NET "file" Parameter Directory Traversal
09.22.69 - Basic Analysis And Security Engine Cross Site Scripting And HTML Injection Vulnerabilities
09.22.70 - MiniTwitter SQL Injection and Cross Site Scripting Vulnerabilities
09.22.71 - AMember Multiple Cross Site Scripting And HTML Injection Vulnerabilities
09.22.72 - Dokuwiki "doku.php" Local File Include
09.22.73 - WP-Lytebox "main.php" Local File Include
09.22.74 - cpCommerce "GLOBALS[prefix]" Local/Remote File Include
09.22.75 - RSGallery2 Component for Mambo/Joomla! Backdoor
09.22.76 - ZEECAREERS and SHAADICLONE "admin/addadminmembercode.php" Authentication Bypass
09.22.77 - RoomPHPlanning Multiple Vulnerabilities
-- Network Device
09.22.78 - Multiple ATEN IP KVM Switches Multiple Remote Vulnerabilities and Weakness
______________________________________________________________________
PART I Critical Vulnerabilities
Part I for this issue has been compiled by Rohan Kotian at TippingPoint,
a division of 3Com, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process
*****************************
Widely Deployed Software
*****************************
(1) CRITICAL: Apple QuickTime PICT Heap Overflow Vulnerability
Affected:
Apple QuickTime version 7.6 and prior
Description: Apple QuickTime, a widely used media player, contains a
heap-based buffer overflow triggered while parsing a malformed PICT image.
The specific error occurs while parsing a PICT image containing a poly tag
(opcode 0x77). When allocating storage for the tag data, the application
does not use the tag's 16-bit length field correctly, so the data copied
into the allocation can exceed its size and corrupt the heap. Successful
exploitation might lead to arbitrary code execution in the context of the
logged-in user. User interaction is required: the victim must either visit
a malicious site or open a malicious file.
Status: Vendor confirmed, updates available.
References:
Zero Day Initiative
http://www.zerodayinitiative.com/advisories/ZDI-09-021/
Apple Knowledge Base Article
http://support.apple.com/kb/HT3549
Vendor HomePage
http://www.apple.com/macosx/
SecurityFocus BID
http://www.securityfocus.com/bid/34938/
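The advisory describes the bug class only at the level of "the allocation does not use the 16-bit length properly". The following is an added illustration, not Apple's code and not the real PICT grammar: a toy tag parser with a hypothetical layout (one opcode byte, a big-endian 16-bit length, then data) in which a vulnerable variant sizes its allocation independently of the length field while copying according to it, next to a hardened variant that validates the declared length against the bytes actually present and uses the same value for allocation and copy. The vulnerable variant reports the overflow condition instead of performing the out-of-bounds write, so it can be run safely. The tag layout, the 64-byte fixed buffer and the sample inputs are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical tag layout for this example (not QuickTime's real PICT
 * grammar): 1-byte opcode, 2-byte big-endian data length, then the data. */
#define POLY_TAG      0x77
#define TAG_HDR_LEN   3
#define FIXED_TAG_BUF 64   /* allocation the illustrative vulnerable parser assumes */

enum tag_result { TAG_OK = 0, TAG_BAD_OPCODE, TAG_TRUNCATED, TAG_OVERFLOW, TAG_NOMEM };

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Constructed sample input: the header claims `claimed_len` data bytes while
 * `actual_len` bytes of 'A' actually follow. The two are independent so the
 * parsers can be fed inconsistent input. Returns bytes written, 0 if no room. */
size_t build_poly_tag(uint8_t *out, size_t cap, uint16_t claimed_len, size_t actual_len)
{
    if (cap < TAG_HDR_LEN + actual_len) return 0;
    out[0] = POLY_TAG;
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xff);
    memset(out + TAG_HDR_LEN, 'A', actual_len);
    return TAG_HDR_LEN + actual_len;
}

/* Vulnerable pattern: the allocation size does not come from the 16-bit
 * length field, but the copy size does. A real parser would memcpy and
 * corrupt the heap; this one reports the condition instead of performing it. */
enum tag_result parse_poly_tag_vuln(const uint8_t *buf, size_t len, size_t *copied)
{
    if (len < TAG_HDR_LEN || buf[0] != POLY_TAG) return TAG_BAD_OPCODE;
    uint16_t data_len = be16(buf + 1);
    uint8_t *tag = malloc(FIXED_TAG_BUF);             /* bug: ignores data_len */
    if (!tag) return TAG_NOMEM;
    if (copied) *copied = data_len;
    if (data_len > FIXED_TAG_BUF || data_len > len - TAG_HDR_LEN) {
        /* memcpy(tag, buf + TAG_HDR_LEN, data_len) would write past the
         * 64-byte allocation (or read past the input) at this point. */
        free(tag);
        return TAG_OVERFLOW;
    }
    memcpy(tag, buf + TAG_HDR_LEN, data_len);
    free(tag);
    return TAG_OK;
}

/* Hardened parser: the declared length is checked against the bytes present,
 * the allocation is sized from it, and the copy uses the same value. */
enum tag_result parse_poly_tag_safe(const uint8_t *buf, size_t len, size_t *copied)
{
    if (len < TAG_HDR_LEN || buf[0] != POLY_TAG) return TAG_BAD_OPCODE;
    uint16_t data_len = be16(buf + 1);
    if (data_len > len - TAG_HDR_LEN) return TAG_TRUNCATED;  /* declared > available */
    uint8_t *tag = malloc(data_len ? data_len : 1);
    if (!tag) return TAG_NOMEM;
    memcpy(tag, buf + TAG_HDR_LEN, data_len);
    if (copied) *copied = data_len;
    free(tag);
    return TAG_OK;
}

/* Build a sample tag and run one of the parsers over it (hardened != 0
 * selects the safe parser). Returns TAG_TRUNCATED if the sample does not fit. */
enum tag_result check_tag(uint16_t claimed_len, size_t actual_len, int hardened, size_t *copied)
{
    uint8_t buf[4096];
    size_t n = build_poly_tag(buf, sizeof buf, claimed_len, actual_len);
    if (n == 0) return TAG_TRUNCATED;
    return hardened ? parse_poly_tag_safe(buf, n, copied)
                    : parse_poly_tag_vuln(buf, n, copied);
}

int main(void)
{
    static const char *names[] = { "OK", "BAD_OPCODE", "TRUNCATED", "OVERFLOW", "NOMEM" };
    struct { uint16_t claimed; size_t actual; } cases[] = {
        { 4, 4 },        /* well-formed small tag */
        { 200, 200 },    /* well-formed, but larger than the fixed buffer */
        { 0xffff, 8 },   /* length field lies about how much data follows */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("claimed=%u actual=%zu  vuln=%s  safe=%s\n",
               cases[i].claimed, cases[i].actual,
               names[check_tag(cases[i].claimed, cases[i].actual, 0, NULL)],
               names[check_tag(cases[i].claimed, cases[i].actual, 1, NULL)]);
    }
    return 0;
}
```

The third case is the one a fuzzer finds first: a length field far larger than the remaining file. The hardened parser rejects it before any allocation; the vulnerable one has already sized its buffer by the time it looks at the length.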
*************************************************************
(2) CRITICAL: BlackBerry Attachment Service PDF distiller Multiple Vulnerabilities
Affected:
BlackBerry Enterprise Server software version 4.1 Service Pack 3 (4.1.3) through 5.0
BlackBerry Professional Software 4.1 Service Pack 4 (4.1.4)
Description: The Research In Motion BlackBerry is a popular mobile
telephone and messaging device. The BlackBerry handheld devices are
integrated with an enterprise's messaging infrastructure through
BlackBerry Enterprise Server. This server software and the professional
software version of BlackBerry have unspecified vulnerabilities in the
BlackBerry Attachment Service, a service used to view different file
formats. The errors are within the PDF distiller component of the
Attachment Service. A specially crafted PDF file opened on BlackBerry
could trigger this vulnerability and cause memory corruption. Successful
exploitation can lead to arbitrary code execution. Note that a user must
first open the PDF on a BlackBerry mobile device for exploitation to
occur. No technical details publicly available.
Status: Vendor confirmed, updates available.
References:
Research In Motion Security Advisories
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB18327
Wikipedia Article on BlackBerry
http://en.wikipedia.org/wiki/BlackBerry
Vendor HomePage
http://www.blackberry.com
SecurityFocus BID
http://www.securityfocus.com/bid/35102
*************************************************************
(3) HIGH: Novell GroupWise Multiple Vulnerabilities
Affected:
Novell GroupWise 7.0 up to (and including) 7.03 HP2
Novell GroupWise 8.0 up to (and including) 8.0.0 HP1
Description: Novell GroupWise is Novell's enterprise groupware solution.
Multiple vulnerabilities have been identified in GroupWise WebAccess and
the GroupWise Internet Agent. The first is a cross-site scripting
vulnerability in GroupWise WebAccess caused by unfiltered style
expressions; successful exploitation allows arbitrary script to be
injected into a WebAccess user's session. The second vulnerability is a
weakness in the way GroupWise WebAccess blocks scripting; successful
exploitation might give an attacker access to an authenticated user's
account. The third issue is caused by input not being properly sanitized
by GroupWise WebAccess, which could allow an attacker to deface the login
page and so prevent users from logging into WebAccess. The fourth
vulnerability is an unspecified error in the way the GroupWise Internet
Agent handles certain SMTP requests; successful exploitation might lead
to arbitrary code execution. The fifth issue is a weakness in the session
management mechanisms of GroupWise WebAccess, which could potentially
allow an attacker to gain access to an authenticated user's account. The
sixth issue is in the way the GroupWise Internet Agent handles certain
email addresses in the SMTP protocol; successful exploitation might lead
to arbitrary code execution with system privileges. Some technical
details are publicly available.
Status: Vendor confirmed, updates available.
References:
Novell GroupWise Security Advisories
http://www.novell.com/support/viewContent.do?externalId=7003266
http://www.novell.com/support/viewContent.do?externalId=7003267
http://www.novell.com/support/viewContent.do?externalId=7003268
http://www.novell.com/support/viewContent.do?externalId=7003271
http://www.novell.com/support/viewContent.do?externalId=7003272
http://www.novell.com/support/viewContent.do?externalId=7003273
Product HomePage
http://www.novell.com/products/groupwise/
SecurityFocus BID
http://www.securityfocus.com/bid/35061
http://www.securityfocus.com/bid/35064
http://www.securityfocus.com/bid/35065
http://www.securityfocus.com/bid/35066/
*************************************************************
(4) LOW: ImageMagick Integer Overflow Vulnerability
Affected:
ImageMagick 6.5.2-8
Description: ImageMagick is an open-source suite of graphics
manipulation utilities available for several operating systems. It has an
integer overflow vulnerability while processing a specially crafted
malformed TIFF file. The specific flaw is an integer overflow in the
XMakeImage() function in xwindow.c. By tricking a user into opening a
malicious TIFF file, an attacker might crash the affected application or
execute arbitrary code. Technical details for this vulnerability are
available via source code analysis.
Status: Vendor confirmed, updates available.
References:
Wikipedia article on ImageMagick
http://en.wikipedia.org/wiki/ImageMagick
Vendor HomePage
http://www.imagemagick.org/script/index.php
SecurityFocus BID
http://www.securityfocus.com/bid/35111
*************************************************************
(5) LOW: CiscoWorks Common Services TFTP Directory Traversal Vulnerability
Affected:
Cisco TelePresence Readiness Assessment Manager (CTRAM) 1.0
Cisco CiscoWorks Voice Manager 3.x
Cisco CiscoWorks QoS Policy Manager 4.x
Cisco CiscoWorks LMS 3.0
Cisco CiscoWorks Health and Utilization Monitor 1.x
Cisco CiscoWorks Common Services 3.1.1
Cisco CiscoWorks Common Services 3.0.x
Cisco CiscoWorks Common Services 2.2
Cisco CiscoWorks Common Services 3.x
Cisco Cisco Unified Service Monitor 2.x
Cisco Cisco Unified Service Monitor 1.x
Cisco Cisco Unified Provisioning Manager 1.x
Cisco Cisco Unified Operations Manager (CUOM) 2.0.x
Cisco Cisco Unified Operations Manager (CUOM) 2.x
Cisco Cisco Unified Operations Manager (CUOM) 1.x
Cisco Cisco Security Manager (CSM) 3.2.2
Cisco Cisco Security Manager (CSM) 3.1.1
Cisco Cisco Security Manager (CSM) 3.0.x
Cisco Cisco Security Manager (CSM) 3.x
Cisco CiscoSecure ACS for Windows and Unix 3.0
Cisco CiscoSecure ACS for Windows and Unix 2.6
Cisco CiscoSecure ACS for Windows and Unix 2.5
Description: CiscoWorks Common Services (CS) is a set of management
services used by other CiscoWorks applications to share a common model
for data storage, user access privileges, etc. It has a directory
traversal vulnerability within the TFTP service. This service is enabled
by default. This could allow an attacker to access or modify the
application and host operating system files. Authentication is not
required to carry out this attack.
Status: Vendor has confirmed, updates available.
References:
Cisco Security Advisory
http://www.cisco.com/warp/public/707/cisco-sa-20090520-cw.shtml
Product HomePage
http://www.cisco.com/en/US/products/sw/cscowork/ps3996/
SecurityFocus BID
http://www.securityfocus.com/bid/35040
*************************************************************
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 22, 2009
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 7041 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
______________________________________________________________________
09.22.1 CVE: Not Available
Platform: Third Party Windows Apps
Title: Nullsoft Winamp "gen_ff.dll" Buffer Overflow
Description: Nullsoft Winamp is a media player for Microsoft Windows.
The application is exposed to a buffer overflow issue because it fails
to perform adequate checks on user-supplied input. Specifically, the
issue stems from a type-casting error when parsing a specially crafted
".maki" file in the "gen_ff.dll" library. Winamp versions 5.55 and
earlier are affected.
Ref: http://vrt-sourcefire.blogspot.com/2009/05/winamp-maki-parsing-vulnerability.html
______________________________________________________________________
09.22.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: Soulseek Distributed File Search Buffer Overflow
Description: Soulseek is a file-sharing application available for
Microsoft Windows. The application is exposed to a stack-based buffer
overflow issue that occurs because it fails to perform adequate
boundary checks on user-supplied data. Specifically, this issue occurs
when performing a distributed search. Soulseek versions 156 and 157 NS
are affected.
Ref: http://www.securityfocus.com/bid/35091
______________________________________________________________________
09.22.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: SonicWALL Global VPN Client "RampartSvc" Local Privilege
Escalation
Description: SonicWALL Global VPN Client is a VPN solution available
for Microsoft Windows. Global VPN Client is prone to a local privilege
escalation issue. Specifically, the "RampartSvc" service is run from
the "%ProgramFiles%\SonicWALL\SonicWALL Global VPN Client" folder, which
is accessible to all local users. Global VPN Client version 4.0.0.835 is
affected.
Ref:
https://www.sec-consult.com/files/20090525-3-GVC-privilege-escalation.txt
______________________________________________________________________
09.22.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: SonicWALL Global Security Client Local Privilege Escalation
Description: SonicWALL Global Security Client is a security
application available for Microsoft Windows. The application is
exposed to a local privilege escalation issue because it fails to
properly drop privileges when performing sensitive actions.
Specifically, the system-tray applet runs with SYSTEM-level
privileges. Global Security Client version 1.0.0.15 is affected.
Ref:
https://www.sec-consult.com/files/20090525-2-GSC-privilege-escalation.txt
______________________________________________________________________
09.22.5 CVE: CVE-2009-0588
Platform: Linux
Title: Red Hat Certificate System Agent Group Security Bypass
Description: Red Hat Certificate System (RHCS) is an enterprise-level
Public Key Infrastructure (PKI) deployment manager. RHCS is exposed to
a security bypass issue that occurs when systems are configured to use
multiple agent groups. Specifically, this issue allows an agent group
to approve or reject certificate requests in queues associated with
arbitrary agent groups. RHCS version 7.3 is affected.
Ref: https://rhn.redhat.com/errata/RHSA-2009-1065.html
______________________________________________________________________
09.22.6 CVE: Not Available
Platform: Solaris
Title: Sun Solaris Secure Digital Slot Driver (sdhost(7D)) Local Code
Execution
Description: Sun Solaris Secure Digital Slot Driver (sdhost(7D)) is
prone to a local code execution vulnerability. Specifically, an
attacker with access to the memory card device may corrupt portions of
kernel memory or contents of a memory card. Attackers may be able to
exploit this issue to execute arbitrary code in the context of the
kernel. Successful exploits may completely compromise the vulnerable
system. OpenSolaris based on builds snv_105 through snv_108 on x86
platforms is affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-259408-1
______________________________________________________________________
09.22.7 CVE: CVE-2008-3869, CVE-2008-3870
Platform: Solaris
Title: Sun Solaris "sadmind" Daemon Multiple Buffer Overflow
Vulnerabilities
Description: Sun Solaris is exposed to multiple buffer overflow issues
that affect the "sadmind(1M)" daemon. Attackers can leverage these
issues to execute arbitrary code with superuser privileges. Failed
attacks will cause denial of service conditions. Sun Solaris versions
8 and 9 are affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-259468-1
______________________________________________________________________
09.22.8 CVE: Not Available
Platform: Aix
Title: IBM AIX "MALLOCDEBUG" File Overwrite
Description: IBM AIX is a UNIX-based operating system. The MALLOCDEBUG
component of the "libc.a" library is exposed to a race condition. A local
attacker can exploit this issue, while running a setuid application, to
overwrite any file on the system.
Ref: http://www.securityfocus.com/archive/1/503679
______________________________________________________________________
09.22.9 CVE: Not Available
Platform: Novell
Title: Novell GroupWise Internet Agent Email Address Processing Buffer
Overflow
Description: Novell GroupWise is collaboration software available for
a number of platforms, including Linux and Microsoft Windows.
GroupWise includes an Internet Agent process for mail transfer. The
Internet Agent is exposed to a remote buffer overflow issue.
Specifically, this issue stems from a boundary condition error that
occurs when handling email addresses via SMTP.
Ref:
http://www.novell.com/support/viewContent.do?externalId=7003273&sliceId=1
______________________________________________________________________
09.22.10 CVE: Not Available
Platform: Novell
Title: Novell GroupWise Internet Agent SMTP Request Processing Buffer
Overflow
Description: Novell GroupWise is collaboration software available for
a number of platforms, including Linux and Microsoft Windows.
GroupWise includes an Internet Agent process for mail transfer.
The Internet Agent is exposed to a remote buffer overflow issue.
Specifically, this issue stems from a boundary condition error that
occurs when handling certain SMTP requests.
Ref:
http://www.novell.com/support/viewContent.do?externalId=7003272&sliceId=1
______________________________________________________________________
09.22.11 CVE: CVE-2009-1634, CVE-2009-1635
Platform: Novell
Title: Novell GroupWise WebAccess Multiple Security Vulnerabilities
Description: Novell GroupWise WebAccess is a secure mobile option for
GroupWise collaboration software. The application is exposed to
multiple issues. Novell GroupWise WebAccess versions prior to 7.03 HP3
and 8.0.0 HP2 are affected.
Ref:
http://www.novell.com/support/viewContent.do?externalId=7003266&sliceId=1
______________________________________________________________________
09.22.12 CVE: CVE-2009-1161
Platform: Cross Platform
Title: CiscoWorks Common Services TFTP Server Directory Traversal
Description: CiscoWorks Common Services is a component of the
CiscoWorks network management product. The Trivial File Transfer
Protocol (TFTP) server included with CiscoWorks Common Services is
exposed to a directory traversal issue because it fails to
sufficiently sanitize user-supplied input in TFTP requests. CiscoWorks
Common Services versions 3.0.x, 3.1.x and 3.2.x running on Microsoft
Windows are affected.
Ref: http://www.securityfocus.com/archive/1/503643
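Both the Part I entry (5) and this entry describe the same flaw: the TFTP server does not sanitize the requested filename, so a traversal sequence escapes the TFTP root. The following is an added example, not Cisco's code and not derived from the advisory's internals, of the two pieces a server or an inline detector needs: a parser for the TFTP read/write request as laid out in RFC 1350 (2-byte opcode, NUL-terminated filename, NUL-terminated mode) and a path check that rejects absolute paths, drive letters and any ".." component using either path separator (the affected CiscoWorks hosts run on Windows, so backslashes count). The sample packets are constructed for the example, not captured traffic.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TFTP_RRQ 1
#define TFTP_WRQ 2

enum tftp_verdict { TFTP_ALLOW = 0, TFTP_MALFORMED, TFTP_ABSOLUTE, TFTP_TRAVERSAL };

/* Parse a TFTP read/write request (RFC 1350): 2-byte opcode, filename
 * terminated by NUL, transfer mode terminated by NUL. Copies the filename
 * into fname and returns the opcode, or -1 if the packet is malformed. */
int parse_tftp_request(const uint8_t *pkt, size_t len, char *fname, size_t fcap)
{
    if (len < 4) return -1;
    int op = (pkt[0] << 8) | pkt[1];
    if (op != TFTP_RRQ && op != TFTP_WRQ) return -1;
    const uint8_t *p = pkt + 2, *end = pkt + len;
    const uint8_t *nul = memchr(p, 0, (size_t)(end - p));
    if (nul == NULL || nul == p) return -1;         /* unterminated or empty name */
    size_t n = (size_t)(nul - p);
    if (n + 1 > fcap) return -1;
    memcpy(fname, p, n);
    fname[n] = '\0';
    p = nul + 1;                                    /* mode must also be terminated */
    if (p >= end || memchr(p, 0, (size_t)(end - p)) == NULL) return -1;
    return op;
}

/* Decide whether a requested name stays inside the TFTP root. Rejects
 * absolute paths and drive letters (the server runs on Windows, so both
 * separators count) and any ".." path component. */
enum tftp_verdict check_tftp_path(const char *name)
{
    if (name[0] == '/' || name[0] == '\\') return TFTP_ABSOLUTE;
    if (isalpha((unsigned char)name[0]) && name[1] == ':') return TFTP_ABSOLUTE;
    const char *seg = name;
    for (;;) {
        const char *e = seg;
        while (*e && *e != '/' && *e != '\\') e++;
        if (e - seg == 2 && seg[0] == '.' && seg[1] == '.') return TFTP_TRAVERSAL;
        if (*e == '\0') break;
        seg = e + 1;
    }
    return TFTP_ALLOW;
}

/* Parse a packet and return the verdict in one call. */
enum tftp_verdict tftp_request_verdict(const uint8_t *pkt, size_t len)
{
    char fname[256];
    if (parse_tftp_request(pkt, len, fname, sizeof fname) < 0) return TFTP_MALFORMED;
    return check_tftp_path(fname);
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t PKT_OK[] = {
    0x00, 0x01, 'c','o','n','f','i','g','.','t','x','t', 0x00, 'o','c','t','e','t', 0x00 };
static const uint8_t PKT_TRAVERSAL[] = {
    0x00, 0x01, '.','.','\\','.','.','\\','s','e','c','r','e','t','.','t','x','t', 0x00,
    'o','c','t','e','t', 0x00 };

int main(void)
{
    static const char *names[] = { "allow", "malformed", "absolute", "traversal" };
    printf("config.txt         -> %s\n", names[tftp_request_verdict(PKT_OK, sizeof PKT_OK)]);
    printf("..\\..\\secret.txt   -> %s\n", names[tftp_request_verdict(PKT_TRAVERSAL, sizeof PKT_TRAVERSAL)]);
    printf("truncated packet   -> %s\n", names[tftp_request_verdict(PKT_OK, 5)]);
    printf("C:\\x               -> %s\n", names[check_tftp_path("C:\\x")]);
    return 0;
}
```

The check is deliberately done on path components rather than by searching for the substring "..": a name such as "a/..b" is legitimate, while "a/../b" is not. Applying the advisory's workaround (disable the TFTP service where it is not needed, or filter UDP/69 at the network edge) removes the exposure entirely; this check is what a server that must stay up should do.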
______________________________________________________________________
09.22.13 CVE: Not Available
Platform: Cross Platform
Title: Drupal Email Verification Module Cross-Site Scripting and
Information Disclosure Vulnerabilities
Description: Drupal Email Verification verifies user emails by talking
to the appropriate SMTP host. The application is exposed to multiple
cross-site scripting issues that affect the "username" and "email
address" parameters; and an information disclosure issue that allows
attackers to view the list of unconfirmed email addresses. Email
Verification versions 5.x-1.x prior to 5.x-2.1 and 6.x prior to 6.x-1.2
are affected.
Ref: http://drupal.org/node/468452
______________________________________________________________________
09.22.14 CVE: CVE-2009-1376, CVE-2009-1375, CVE-2009-1374,
CVE-2009-1373
Platform: Cross Platform
Title: Pidgin Multiple Buffer Overflow Vulnerabilities
Description: Pidgin is a multiplatform instant-messaging client that
supports multiple messaging protocols. Pidgin is exposed to multiple
buffer overflow issues because it fails to perform adequate boundary
checks on user-supplied data. Pidgin versions prior to 2.5.6 are
affected.
Ref: http://www.pidgin.im/news/security/?id=29
______________________________________________________________________
09.22.15 CVE: Not Available
Platform: Cross Platform
Title: Multiple Panda Products TAR/CAB Files Scan Evasion
Description: Panda develops antivirus products. Multiple Panda
products are exposed to an issue that may allow certain compressed
archives to bypass the scan engine. The vulnerability occurs because
the software fails to properly inspect specially crafted "TAR" and
"CAB" archive files.
Ref:
http://www.pandasecurity.com/homeusers/support/card?id=70025&idIdioma=2
______________________________________________________________________
09.22.16 CVE: Not Available
Platform: Cross Platform
Title: Serena Dimensions CM SSL Certificate Signature Verification
Description: Serena Dimensions CM is a software development tool. The
Dimensions CM Client is exposed to a signature verification issue.
Specifically, the client fails to properly verify signatures when
communications are encrypted using SSL. This allows an arbitrary signed
certificate to be accepted by the client. Serena Dimensions CM version
10.1 is affected.
Ref: http://www.securityfocus.com/archive/1/503730
______________________________________________________________________
09.22.17 CVE: CVE-2009-1476
Platform: Cross Platform
Title: IPFilter "ippool" "lib/load_http.c" Local Buffer Overflow
Description: IPFilter is a firewall and network address translation
(NAT) implementation for BSD, Linux, and Unix operating systems.
IPFilter is exposed to a local buffer overflow issue because it fails
to adequately bounds check user-supplied input. The issue occurs in
the "lib/load_http.c" source file and can be triggered with
excessively long input to URIs handled by the "load_http()" function.
This function is used by the "ippool" application. IPFilter version
4.1.31 is affected.
Ref:
http://cvsweb.netbsd.org/bsdweb.cgi/src/dist/ipf/lib/load_http.c?rev=1.2&content-type=text/x-cvsweb-markup&only_with_tag=MAIN
______________________________________________________________________
09.22.18 CVE: Not Available
Platform: Cross Platform
Title: Wireshark PCNFSD Dissector Denial of Service
Description: Wireshark (formerly Ethereal) is an application for
analyzing network traffic; it is available for Microsoft Windows and
UNIX-like operating systems. Wireshark is exposed to a denial of
service issue that affects the "PCNFSD" dissector. Wireshark versions
0.8.20 through 1.0.7 are affected.
Ref: http://www.wireshark.org/security/wnpa-sec-2009-03.html
______________________________________________________________________
09.22.19 CVE: CVE-2009-1754
Platform: Cross Platform
Title: Open Handset Alliance Android Signature Validation Local
Privilege Escalation
Description: Open Handset Alliance Android (previously Google Android)
is a software stack and operating system for mobile phones. Android
allows multiple applications to share a uid (user ID) when they are
signed by the same vendor and request to do so when installed. Android
is exposed to a privilege escalation issue due to a failure to
properly enforce restrictions on this behavior. Android versions 1.5
CRB17 through 1.5 CRB42 are affected.
Ref: http://www.ocert.org/advisories/ocert-2009-006.html
______________________________________________________________________
09.22.20 CVE: Not Available
Platform: Cross Platform
Title: SonicWALL Global VPN Client Log File Remote Format String
Description: SonicWALL Global VPN Client provides virtual private
networking for mobile users. The application is exposed to a remote
format string issue because it fails to properly sanitize
user-supplied input before passing it as the format specifier to a
formatted printing function. This issue occurs in an unspecified
function that handles logfile parsing. Global VPN Client version
4.0.0.2-51e Standard and Enhanced are affected.
Ref: http://www.securityfocus.com/archive/1/503833
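The entry names the bug class (untrusted text reaching a printf-family call as its format) but gives no detail on the function. The following is an added example, not SonicWALL's code, showing the vulnerable call next to its fix, plus a small audit helper that counts conversion directives in a log entry and flags "%n", the directive that turns a format string bug from a memory read into a memory write. The log lines are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the log entry (attacker-influenced text from the log
 * file) is passed as the format string itself, so "%x", "%s" and "%n" inside
 * it are interpreted. The pragmas only silence the compiler warning that
 * would otherwise flag this line. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int render_log_vuln(char *out, size_t cap, const char *entry)
{
    return snprintf(out, cap, entry);
}
#pragma GCC diagnostic pop

/* Fixed: a constant format; the entry is only ever a "%s" argument. */
int render_log_safe(char *out, size_t cap, const char *entry)
{
    return snprintf(out, cap, "%s", entry);
}

/* Audit helper: count printf conversion directives in untrusted text
 * ("%%" is a literal percent, not a directive). If has_n is non-NULL it is
 * set when a "%n" directive, the write primitive, is present. */
int count_format_directives(const char *s, bool *has_n)
{
    int count = 0;
    if (has_n) *has_n = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }          /* escaped percent */
        count++;
        p++;
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (*p == '\0') break;                        /* dangling "%" */
        if (*p == 'n' && has_n) *has_n = true;
    }
    return count;
}

bool has_write_directive(const char *s)
{
    bool n;
    count_format_directives(s, &n);
    return n;
}

/* True when the safe renderer reproduces the entry verbatim, i.e. nothing
 * in it was interpreted. */
bool safe_render_is_literal(const char *entry)
{
    char out[256];
    int n = render_log_safe(out, sizeof out, entry);
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, entry) == 0;
}

int main(void)
{
    /* Constructed log lines: one benign, one carrying format directives. */
    const char *benign = "peer=vpn.example.org user=alice";
    const char *hostile = "peer=%08x.%08x.%08x user=%n";
    char out[256];
    bool n;
    render_log_vuln(out, sizeof out, benign);   /* harmless only because the entry is benign */
    printf("benign via vulnerable renderer: %s\n", out);
    printf("hostile entry has %d directives, %%n present: %s\n",
           count_format_directives(hostile, &n), n ? "yes" : "no");
    render_log_safe(out, sizeof out, hostile);
    printf("hostile via safe renderer (literal): %s\n", out);
    return 0;
}
```

The example never feeds the hostile line to the vulnerable renderer: with no matching arguments on the stack that call is undefined behaviour, which is precisely the point. The compiler warning the pragmas suppress (-Wformat-security) is the cheapest detection for this class; turn it on, and treat any non-literal format as a finding.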
______________________________________________________________________
09.22.21 CVE: Not Available
Platform: Cross Platform
Title: Lighttpd Trailing Slash Information Disclosure
Description: Lighttpd is a freely available webserver application.
Lighttpd is exposed to an information disclosure issue that occurs
when an attacker requests a file name followed by a trailing slash ("/").
The attacker can exploit this issue to obtain sensitive information
that may lead to further attacks. Lighttpd version 1.4.23 is affected.
Ref: http://redmine.lighttpd.net/issues/1989
______________________________________________________________________
09.22.22 CVE: Not Available
Platform: Cross Platform
Title: Multiple ArcaBit ArcaVir Products Multiple IOCTL Request Local
Privilege Escalation Vulnerabilities
Description: ArcaBit ArcaVir products are security products for
Microsoft Windows platforms. The applications are exposed to multiple
local privilege escalation issues because the "ps_drv.sys" driver fails
to properly validate user-space input passed in IOCTL requests to the
"\Device\ps_drv" device.
Ref: http://ntinternals.org/ntiadv0814/ntiadv0814.html
______________________________________________________________________
09.22.23 CVE: Not Available
Platform: Cross Platform
Title: BlackBerry Attachment Service PDF Distiller Multiple
Unspecified Security Vulnerabilities
Description: BlackBerry Attachment Service is a component of
BlackBerry Enterprise Server and BlackBerry Professional Software; it
is used to process email attachments. BlackBerry Attachment Service is
exposed to multiple remote code execution issues that occur when the
service's PDF distiller tries to process specially crafted PDF files.
Ref: http://www.blackberry.com/btsc/dynamickc.do?externalId=KB18327&sliceID=1&command=show&forward=nonthreadedKC&kcId=KB18327
______________________________________________________________________
09.22.24 CVE: Not Available
Platform: Cross Platform
Title: ImageMagick TIFF File Integer Overflow
Description: ImageMagick is an image-editing suite that includes a
library and command-line utilities supporting numerous image formats,
including TIFF. It is available for various platforms, including
Microsoft Windows, UNIX, and UNIX-like operating systems. ImageMagick
is exposed to an integer overflow issue because it fails to perform
adequate boundary checks on user-supplied data. The vulnerability
occurs when handling malformed TIFF files. ImageMagick version 6.5.2-8
is affected.
Ref: http://mirror1.smudge-it.co.uk/imagemagick/www/changelog.html
______________________________________________________________________
09.22.25 CVE: CVE-2009-1635
Platform: Web Application - Cross Site Scripting
Title: Novell GroupWise WebAccess "gw/webacc" Multiple Cross-Site
Scripting Vulnerabilities
Description: Novell GroupWise WebAccess is a secure mobile option for
GroupWise collaboration software. The application is exposed to
multiple cross-site scripting issues because it fails to sufficiently
sanitize user-supplied input.
Ref: http://www.securityfocus.com/archive/1/503700
______________________________________________________________________
09.22.26 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Steam "steam://" Cross-Site Scripting
Description: Steam is a gaming application. The application is exposed
to a cross-site scripting vulnerability because it fails to sanitize
user-supplied input. Specifically, the issue occurs when a malicious
request is sent through the "steam://" protocol.
Ref: http://www.securityfocus.com/bid/35036
______________________________________________________________________
09.22.27 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: IPplan "grp" Parameter Cross-Site Scripting
Description: IPplan is an open-source IP address management and
planning web application. It is programmed in PHP, and stores its
information in an SQL database. The application is exposed to a
cross-site scripting issue because it fails to sanitize user-supplied
input. Specifically, the issue affects the "grp" parameter in the
"admin/usermanager" page. IPplan version 4.91a is affected.
Ref: http://holisticinfosec.org/content/view/113/45/
______________________________________________________________________
09.22.28 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Kingsoft WebShield Cross-Site scripting and Remote Command
Execution
Description: Kingsoft WebShield is an application that protects a
user's browser against malware. The application is exposed to a remote
cross-site scripting and command execution issue because it fails to
properly filter HTML tags from URIs. WebShield versions 1.1.0.62 and
earlier are affected.
Ref: http://www.securityfocus.com/bid/35038
______________________________________________________________________
09.22.29 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Catviz Multiple Local File Include and Cross-Site Scripting
Vulnerabilities
Description: Catviz is a web-based content manager. The application is
exposed to multiple issues because it fails to properly sanitize
user-supplied input. The attacker may leverage a cross-site scripting
issue to execute arbitrary script code in the browser of an
unsuspecting user in the context of the affected site. Catviz version
0.4 beta 1 is affected.
Ref: http://www.securityfocus.com/bid/35042
______________________________________________________________________
09.22.30 CVE: CVE-2009-1729
Platform: Web Application - Cross Site Scripting
Title: Sun Java System Communications Express "search.xml" Cross-Site
Scripting
Description: Sun Java System Communications Express is a web-based
client for the Sun Java Communications Suite. The application is
exposed to a cross-site scripting issue because it fails to
sufficiently sanitize user-supplied input. This issue affects the
"abperson_displayName" parameter of the "search.xml" script. Sun Java
System Communications Express 6.3 for Sun Java Communications Suite 5
and 6 and Sun Java System Communications Express 6 2005Q4 (6.2) are
affected.
Ref: http://www.securityfocus.com/archive/1/503675
______________________________________________________________________
09.22.31 CVE: CVE-2009-1729
Platform: Web Application - Cross Site Scripting
Title: Sun Java System Communications Express "UWCMain" Cross-Site
Scripting
Description: Sun Java System Communications Express is a web-based
client for the Sun Java Communications Suite. The application is
exposed to a cross-site scripting issue because it fails to
sufficiently sanitize user-supplied input. This issue affects the
"temporaryCalendars" parameter of the "UWCMain" script. Sun Java
System Communications Express 6.3 for Sun Java Communications Suite 5
and 6 and Sun Java System Communications Express 6 2005Q4 (6.2) are
affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-258068-1
______________________________________________________________________
09.22.32 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Web Conference Room Free Unspecified Cross-Site Scripting
Description: Web Conference Room Free is a web-based conferencing
application. The application is exposed to an unspecified cross-site
scripting issue because it fails to sanitize user-supplied input. Web
Conference Room Free versions prior to 1.6.4 are affected.
Ref: http://www.securityfocus.com/bid/35068
______________________________________________________________________
09.22.33 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: a-News Unspecified Cross-Site Scripting
Description: a-News is a web-based application used to post news
items. The application is exposed to an unspecified cross-site
scripting issue because it fails to sanitize user-supplied input.
a-News version 2.32 is affected.
Ref: http://www.securityfocus.com/bid/35070
______________________________________________________________________
09.22.34 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: DotNetNuke "ErrorPage.aspx" Cross-Site Scripting
Description: DotNetNuke is an open-source framework used to create and
deploy websites. The application is exposed to a cross-site scripting
issue because it fails to properly sanitize user-supplied input to
the "error" parameter of the "ErrorPage.aspx" script. DotNetNuke
versions prior to 4.9.4 are affected.
Ref: http://www.securityfocus.com/archive/1/503723
______________________________________________________________________
09.22.35 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Sun Java System Portal Server Error Page Cross-Site Scripting
Description: Sun Java System Portal Server is a Java-based framework
for developing web applications. The application is exposed to a
cross-site scripting issue because it fails to sufficiently sanitize
user-supplied input. This issue exists in one of the error pages. Sun
Java System Portal Server versions 6.3.1, 7.1 and 7.2 are affected.
Ref: http://www.securityfocus.com/bid/35079
______________________________________________________________________
09.22.36 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Article Directory Script "yad-admin/login.php" SQL Injection
Description: Article Directory Script is a PHP-based content
management application. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data to
the "User Name" textbox when logging in as an administrator via the
"yad-admin/login.php" script.
Ref: http://www.securityfocus.com/bid/35059
______________________________________________________________________
09.22.37 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Flash Quiz Multiple SQL Injection Vulnerabilities
Description: Flash Quiz is a PHP-based quiz application. Flash Quiz is
exposed to multiple SQL injection issues because it fails to
sufficiently sanitize user-supplied data. Flash Quiz Beta version 2 is
affected.
Ref: http://www.securityfocus.com/bid/35060
______________________________________________________________________
09.22.38 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Your Articles Directory "page.php" SQL Injection
Description: Your Articles Directory is a PHP-based content manager.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data to the "id" parameter of
the "page.php" script.
Ref: http://www.securityfocus.com/bid/35062
______________________________________________________________________
09.22.39 CVE: Not Available
Platform: Web Application - SQL Injection
Title: IPcelerate IPsession Unspecified SQL Injection
Description: IPcelerate IPsession is an IP telephony device; the
device has a web-based management interface listening on TCP port
8090. The device's web-based interface is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data
before using it in an SQL query to unspecified scripts and parameters
used in the authentication process.
Ref: http://www.securityfocus.com/archive/1/503686
______________________________________________________________________
09.22.40 CVE: Not Available
Platform: Web Application - SQL Injection
Title: DM FileManager "Username" and "Password" SQL Injection
Vulnerabilities
Description: DM FileManager is a web-based file management tool. The
application is exposed to multiple SQL injection issues because it
fails to sufficiently sanitize user-supplied data to the "Username"
and "Password" fields in the admin login page before using it in an
SQL query. DM FileManager version 3.9.2 is affected.
Ref: http://www.securityfocus.com/bid/35035
______________________________________________________________________
09.22.41 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! Casino Component "Itemid" Parameter Multiple SQL
Injection Vulnerabilities
Description: Casino is a gambling component for the Joomla! content
manager. The application is exposed to multiple SQL injection issues
because it fails to sufficiently sanitize user-supplied data to the
"Itemid" parameter. Casino version 0.3.1 is affected.
Ref: http://www.securityfocus.com/bid/35041
______________________________________________________________________
09.22.42 CVE: CVE-2009-1751
Platform: Web Application - SQL Injection
Title: Realty Web-Base "list_list.php" Parameter SQL Injection
Description: Realty Web-Base is a content manager application. The
module is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "id" parameter of the
"list_list.php" script before using it in an SQL query. Realty Web-Base
version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/35043
______________________________________________________________________
09.22.43 CVE: CVE-2008-6794
Platform: Web Application - SQL Injection
Title: Scripts for Sites EZ Pub Site "directory.php" SQL Injection
Description: Scripts for Sites EZ Pub Site is a web-based application.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data to the "cat" parameter of
the "directory.php" script before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/35046
______________________________________________________________________
09.22.44 CVE: Not Available
Platform: Web Application - SQL Injection
Title: 26th Avenue bSpeak "forum/index.php" SQL Injection
Description: 26th Avenue bSpeak is a threaded message board. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "forumid" parameter of
the "forum/index.php" script before using it in an SQL query. 26th
Avenue bSpeak version 1.10 is affected.
Ref: http://www.securityfocus.com/bid/35049
______________________________________________________________________
09.22.45 CVE: Not Available
Platform: Web Application - SQL Injection
Title: LxBlog Multiple Cross-Site Scripting and SQL Injection
Vulnerabilities
Description: LxBlog is a PHP-based blogging application. The
application is exposed to multiple issues, because it fails to
adequately sanitize user-supplied input. Exploiting these issues could
allow an attacker to steal cookie-based authentication credentials,
compromise the application, access or modify data, or exploit latent
vulnerabilities in the underlying database.
Ref: http://www.securityfocus.com/bid/35071
______________________________________________________________________
09.22.46 CVE: Not Available
Platform: Web Application - SQL Injection
Title: ZaoCMS "admin/modules/Users/edit_user.php" SQL Injection
Description: ZaoCMS is a PHP-based content manager. The application is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "user_id" parameter of the
"admin/modules/Users/edit_user.php" script.
Ref: http://www.securityfocus.com/bid/35077
______________________________________________________________________
09.22.47 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Saman Portal "pageid" Parameter SQL Injection
Description: Saman Portal is a web-based application. The application
is exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "pageid" parameter of the
"index.php" script.
Ref: http://www.securityfocus.com/bid/35084
______________________________________________________________________
09.22.48 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! Boy Scout Advancement "id" Parameter Multiple SQL
Injection Vulnerabilities
Description: Boy Scout Advancement (BSAdv) is a scout component for
the Joomla! content manager. The component is exposed to multiple SQL
injection issues because it fails to sufficiently sanitize
user-supplied data to the "id" parameter when the "task" parameter is
set to the following: "event" and "account". Boy Scout Advancement
version 0.3 is affected.
Ref: http://www.securityfocus.com/archive/1/503794
______________________________________________________________________
09.22.49 CVE: Not Available
Platform: Web Application - SQL Injection
Title: vbPlaza "name" Parameter SQL Injection
Description: vbPlaza is a forum module for vBulletin. The application
is exposed to an SQL injection issue because it fails to properly
sanitize user-supplied input to the "name" parameter of the
"vbplaza.php" script before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/35099
______________________________________________________________________
09.22.50 CVE: Not Available
Platform: Web Application - SQL Injection
Title: phpBugTracker "index.php" SQL Injection
Description: phpBugTracker is an incident management system.
phpBugTracker is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "password" parameter
of the "index.php" script before using it in an SQL query. phpBugTracker
version 1.0.3 is affected.
Ref: http://www.securityfocus.com/bid/35101
______________________________________________________________________
09.22.51 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Graphiks MyForum Login Multiple SQL Injection Vulnerabilities
Description: Graphiks MyForum is a web-based application. The
application is exposed to multiple SQL injection issues because it
fails to adequately sanitize user-supplied input to the "Username" and
"Password" fields of the login script. MyForum version 1.3 is
affected.
Ref: http://www.securityfocus.com/bid/35096
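The login-form entries above (Article Directory Script, DM FileManager, VICIDIAL, Graphiks MyForum, and the "password" parameter in phpBugTracker) all describe one pattern: credentials pasted into the SQL text. The following is an added example, not code from any of those products; it uses Python's sqlite3 module with a constructed one-row users table to show the vulnerable query beside the parameterised one and the two classic bypass payloads.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema with a single admin account. A real
    application would store a password hash; the injection does not
    depend on that detail."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret', 1)")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The pattern behind the login-form entries: the input is interpolated
    into the query string, so a quote in it changes the query's structure.
    Returns the matched username, or None."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Bound parameters: the values travel separately from the SQL text, so
    quotes and comment sequences in the input remain data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Constructed payloads of the kind reported against the login forms above.
COMMENT_PAYLOAD = "admin' -- "      # closes the string, comments out the password check
TAUTOLOGY_PAYLOAD = "' OR '1'='1"   # makes the WHERE clause always true


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment payload  :", login_vulnerable(db, COMMENT_PAYLOAD, "x"))
    print("vulnerable, tautology payload:", login_vulnerable(db, TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD))
    print("safe, comment payload        :", login_safe(db, COMMENT_PAYLOAD, "x"))
```

With the vulnerable function the comment payload returns "admin" with any password; with the parameterised one the same input simply fails to match a row. Note that MySQL requires the space after `--` for the comment form, which is why the payload keeps it.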
______________________________________________________________________
09.22.52 CVE: Not Available
Platform: Web Application
Title: JobScript "mycv.php" Arbitrary File Upload
Description: JobScript is a PHP-based job board. The application is
exposed to an issue that lets attackers upload arbitrary files. The
issue occurs because the application fails to adequately validate
user-supplied input before uploading files via the "mycv.php" script.
JobScript version 2.0 is affected.
Ref: http://www.securityfocus.com/bid/35058
______________________________________________________________________
09.22.53 CVE: Not Available
Platform: Web Application
Title: ZaoCMS Insecure Cookie Authentication Bypass
Description: ZaoCMS is a web application. The application is exposed
to an authentication bypass issue because it fails to adequately
verify user-supplied input used for cookie-based authentication.
Specifically, attackers can gain administrative access to the
application by setting the "admin" cookie parameter to "stgAdmin" and
the "path" parameter to "/" via the "admin/login.php" script.
Ref: http://www.securityfocus.com/bid/35063
______________________________________________________________________
09.22.54 CVE: CVE-2009-1594, CVE-2009-1593
Platform: Web Application
Title: Profense Web Application Firewall Security Bypass
Vulnerabilities
Description: Profense is a web application firewall. Profense is
exposed to multiple remote issues. An attacker can exploit these
issues to bypass certain security restrictions and perform various
web-application attacks. Profense versions prior to 2.4.4 and 2.2.22
are affected.
Ref: http://www.securityfocus.com/archive/1/503649
______________________________________________________________________
09.22.55 CVE: Not Available
Platform: Web Application
Title: ASP Inline Corporate Calendar Cross-Site Scripting and SQL
Injection Vulnerabilities
Description: ASP Inline Corporate Calendar is an ASP-based calendar
application. The application is exposed to multiple issues because it
fails to adequately sanitize user-supplied input. Exploiting these
issues could allow an attacker to steal cookie-based authentication
credentials, compromise the application, access or modify data, or
exploit latent vulnerabilities in the underlying database.
Ref: http://www.securityfocus.com/bid/35054
______________________________________________________________________
09.22.56 CVE: Not Available
Platform: Web Application
Title: VICIDIAL Call Center Suite "admin.php" Multiple SQL Injection
Vulnerabilities
Description: VICIDIAL Call Center Suite is an application for managing
Asterisk PBX telephony implementations. The application is prone to
multiple SQL injection issues because it fails to sufficiently
sanitize user-supplied data to the "Username" and "Password" textboxes
when logging in to the application through the "admin.php" script.
VICIDIAL Call Center Suite version 2.0.5-173 is affected.
Ref: http://www.securityfocus.com/bid/35056
______________________________________________________________________
09.22.57 CVE: CVE-2009-1734
Platform: Web Application
Title: VidShare Pro SQL Injection and Cross-Site Scripting
Vulnerabilities
Description: VidShare Pro is a PHP-based web application. The
application is exposed to multiple issues because it fails to
sufficiently sanitize user-supplied data. Exploiting these issues
could allow an attacker to steal cookie-based authentication
credentials, compromise the application, access or modify data, or
exploit latent vulnerabilities in the underlying database.
Ref: http://www.securityfocus.com/bid/35033
______________________________________________________________________
09.22.58 CVE: Not Available
Platform: Web Application
Title: DMXReady Registration Manager "assetmanager.asp" Arbitrary File
Upload
Description: DMXReady Registration Manager is a web-site registration
application implemented in ASP. The application is exposed to an issue
that lets attackers upload arbitrary files. The problem occurs because
the "assetmanager.asp" script fails to restrict the types or
extensions of files uploaded to the server. DMXReady Registration
Manager version 1.1 is affected.
Ref: http://www.securityfocus.com/bid/35039
______________________________________________________________________
09.22.59 CVE: Not Available
Platform: Web Application
Title: NC GBook "index.php" Remote PHP Code Injection
Description: NC GBook is a PHP-based guestbook application. The
application is exposed to an issue that attackers can leverage to
execute arbitrary PHP code in the context of the application. This
issue occurs because the application fails to sufficiently sanitize
input supplied via the "Autor", "E-Mail", and "Homepage" fields when a
new guestbook entry is added via the "index.php" script. NC GBook
version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/35044
______________________________________________________________________
09.22.60 CVE: Not Available
Platform: Web Application
Title: NC LinkList "index.php" Remote PHP Code Injection
Description: NC LinkList is a PHP-based web application. The
application is exposed to an issue that attackers can leverage to
execute arbitrary PHP code in the context of the application. This
issue occurs because the application fails to sufficiently sanitize
input supplied via the "Ihr Name" field when a new link comment is
added via the "index.php" script. NC LinkList version 1.3.1 is
affected.
Ref: http://www.securityfocus.com/bid/35045
______________________________________________________________________
09.22.61 CVE: CVE-2009-1591
Platform: Web Application
Title: CGI Rescue WEB Mailer HTTP Header Injection
Description: CGI Rescue WEB Mailer is a web application. The
application is exposed to an issue that allows attackers to inject
arbitrary HTTP headers because it fails to sanitize input. This issue
is caused by a failure to handle carriage return and line feed
characters in unspecified fields. WEB Mailer versions prior to 1.04
are affected.
Ref: http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000024.html
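The header-injection mechanism described above (unfiltered carriage return and line feed characters reaching a header value) is shown in the following added example, which is not code from CGI Rescue WEB Mailer. The redirect endpoint, the header names and the two payloads are constructed for the demonstration; the parser mimics a lenient client that accepts bare LF as a line terminator.

```python
import re


class HeaderInjection(ValueError):
    """Raised when a header value contains a line terminator or NUL."""


def redirect_vulnerable(url: str) -> bytes:
    """Concatenation without checks, the pattern the advisory describes: a
    CR/LF pair inside `url` ends the Location line and starts a header of
    the attacker's choosing, or with a blank line a whole forged body."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {url}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1", "replace")


def check_header_value(value: str) -> str:
    """Reject rather than strip: a stripped payload still reaches the
    application, and the rejection is the event worth logging."""
    if re.search(r"[\r\n\x00]", value):
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value


def redirect_safe(url: str) -> bytes:
    return (f"HTTP/1.1 302 Found\r\nLocation: {check_header_value(url)}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1", "replace")


def is_rejected(url: str) -> bool:
    try:
        redirect_safe(url)
    except HeaderInjection:
        return True
    return False


def parse_response_headers(raw: bytes) -> list:
    """What a lenient client or proxy sees: header lines split on CRLF or a
    bare LF/CR, up to the first empty line, which begins the body."""
    lines = re.split(r"\r\n|\n|\r", raw.decode("latin-1"))
    headers = []
    for line in lines[1:]:          # lines[0] is the status line
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


# Constructed payloads: header injection, and full response splitting.
INJECT_COOKIE = "http://example.com/\r\nSet-Cookie: session=attacker"
SPLIT_RESPONSE = "http://example.com/\r\n\r\n<html>attacker content</html>"
```

The check must run on the value as it will be emitted: if the application URL-decodes a parameter before placing it in a header, decode first and check afterwards, since a literal `%0d%0a` in the raw string is harmless until decoded.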
______________________________________________________________________
09.22.62 CVE: Not Available
Platform: Web Application
Title: Jorp "functions.php" Authentication Bypass
Description: Jorp is a web-based project management application. The
application is exposed to an authentication bypass issue because it
fails to perform adequate authentication checks. Specifically, an
attacker may delete arbitrary projects or tasks. This issue affects
the "y" parameter of the "functions.php" script. Jorp version
1.3.05.09 is affected.
Ref: http://www.securityfocus.com/archive/1/503678
______________________________________________________________________
09.22.63 CVE: Not Available
Platform: Web Application
Title: Drupal Views Bulk Operations Security Bypass
Description: "Views bulk operations" is a third-party plugin module
for the Drupal content manager. The module performs bulk updates of
nodes. The module is exposed to a security bypass issue that may allow
attackers to perform certain actions on specific nodes or classes of
nodes without proper authorization. "Views bulk operations" versions
prior to 5.x-1.4 and 6.x-1.7 are affected.
Ref: http://drupal.org/node/468450
______________________________________________________________________
09.22.64 CVE: Not Available
Platform: Web Application
Title: Tutorial Share Insecure Cookie Authentication Bypass
Description: Tutorial Share is a web application implemented in PHP.
The application is exposed to an authentication bypass issue because
it fails to adequately verify user-supplied input used for
cookie-based authentication. Specifically, attackers can gain
administrative access to the application by setting the "usernamed"
cookie parameter to an administrator's username and the "path"
parameter to "/" via the "admin/index.php" script. Tutorial Share
version 3.4 is affected.
Ref: http://www.securityfocus.com/bid/35075
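The ZaoCMS and Tutorial Share entries above describe the same flaw: the server treats a cookie value the client can set freely ("admin=stgAdmin", or "usernamed=<admin name>") as proof of identity. The following added example, not code from either product, shows that check beside a cookie the server can actually verify, an HMAC-SHA256 over the payload under a server-side key. The key, cookie names and payload layout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumption for the example: a secret held only on the server.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def is_admin_vulnerable(cookies: dict) -> bool:
    """The flawed check the advisories describe: the client's own cookie
    value is the entire proof, so anyone who knows the string is admin."""
    return cookies.get("admin") == "stgAdmin"


def make_session_cookie(username: str, role: str, key: bytes = SECRET_KEY) -> str:
    """Issue a cookie the server can verify later: payload plus an HMAC over
    it. Without `key` the client cannot produce a valid MAC for a payload
    of its choosing."""
    payload = base64.urlsafe_b64encode(
        json.dumps({"u": username, "r": role}).encode()).decode()
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def parse_session_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the payload dict if the MAC verifies, otherwise None."""
    payload, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison, on bytes so odd input cannot raise TypeError.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    try:
        data = json.loads(base64.urlsafe_b64decode(payload.encode()))
    except ValueError:
        return None
    return data if isinstance(data, dict) else None


def is_admin_safe(cookies: dict, key: bytes = SECRET_KEY) -> bool:
    session = parse_session_cookie(cookies.get("session", ""), key)
    return session is not None and session.get("r") == "admin"
```

A server-side session store (random opaque ID in the cookie, role looked up in the database) is the simpler alternative and avoids carrying claims in the cookie at all; either way the cookie should be set HttpOnly and Secure, and neither the "path" attribute nor any other client-controlled field may influence authorisation.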
______________________________________________________________________
09.22.65 CVE: Not Available
Platform: Web Application
Title: ZaoCMS "upload.php" Arbitrary File Upload
Description: ZaoCMS is a PHP-based content manager. The application is
exposed to an issue that lets attackers upload arbitrary files. The
issue occurs because the application fails to adequately validate
user-supplied input before uploading files via the "upload.php"
script.
Ref: http://www.securityfocus.com/bid/35078
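Three entries in this issue (JobScript "mycv.php", DMXReady "assetmanager.asp", and ZaoCMS "upload.php") are arbitrary file uploads, and the DMXReady description names the root cause: no restriction on the type or extension of the stored file. The following added example, not code from any of those products, shows the checks an upload handler needs. The allowlist, the magic-byte table and the list of interpreter-handled extensions are assumptions chosen for the demonstration.

```python
import os
import secrets

# What this form is meant to accept, with the bytes each format must begin
# with (constructed allowlist; extend per application).
ALLOWED = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a web server may hand to an interpreter even when they are not
# the last one ("cv.php.pdf" under an Apache AddHandler configuration).
EXECUTABLE = {"php", "php3", "php4", "php5", "phtml", "asp", "aspx", "jsp",
              "cgi", "pl", "sh", "htaccess"}


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, data: bytes) -> str:
    """Return a server-chosen filename for an accepted upload, or raise.
    Checks: no directory components, no executable extension anywhere in
    the name, final extension on the allowlist, and content magic that
    matches that extension. The stored name is random so the client never
    decides which path ends up under the web root."""
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("no usable extension")
    if any(p in EXECUTABLE for p in parts[1:]):
        raise UploadRejected(f"executable extension in {filename!r}")
    ext = parts[-1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected(f"content does not look like {ext}")
    return f"{secrets.token_hex(16)}.{ext}"


def is_rejected(filename: str, data: bytes) -> bool:
    try:
        validate_upload(filename, data)
    except UploadRejected:
        return True
    return False
```

The returned name is what goes on disk; the original filename, if it must be shown to users, belongs in a database column, not in the path. The upload directory itself should also be configured so the web server never executes anything stored there, which limits the damage if one of the checks above is ever wrong.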
______________________________________________________________________
09.22.66 CVE: Not Available
Platform: Web Application
Title: Multiple Mole Group Products "admin.php" Remote Password Change
Description: Mole Group provides several web-based PHP applications.
Multiple Mole Group products are exposed to an issue that may permit
attackers to change the password of arbitrary administrator users. An
attacker may exploit this issue by submitting an HTTP POST request
containing malicious data to the "admin/admin.php" script.
Ref: http://www.securityfocus.com/bid/35079
______________________________________________________________________
09.22.67 CVE: Not Available
Platform: Web Application
Title: Zeeways PHOTOVIDEOTUBE Multiple Remote Vulnerabilities
Description: Zeeways PHOTOVIDEOTUBE is a PHP-based web application.
The application is exposed to multiple remote issues. The attacker can
exploit these issues to upload and execute arbitrary script code on an
affected computer with the privileges of the webserver process, gain
unauthorized access to the affected application, or execute arbitrary
HTML or JavaScript code within the context of the affected site.
Zeeways PHOTOVIDEOTUBE version 1.1 is affected.
Ref: http://www.securityfocus.com/bid/35080
______________________________________________________________________
09.22.68 CVE: Not Available
Platform: Web Application
Title: Cute Editor for ASP.NET "file" Parameter Directory Traversal
Description: Cute Editor for ASP.NET is a WYSIWYG browser-based online
HTML editor. The application is exposed to a directory traversal issue
because it fails to sufficiently sanitize user-supplied input to the
"file" parameter of the "Load.ashx" script. A remote attacker could
exploit the vulnerability using directory-traversal characters ("../")
to access arbitrary files that contain sensitive information that
could aid in further attacks.
Ref: http://www.securityfocus.com/bid/35085
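The "../" traversal described above is best defended by resolving the requested path to its canonical absolute form and checking that it is still inside the intended directory, rather than by searching the raw string for ".." sequences. The following added example, which is not code from Cute Editor, does that; the base directory and the sample requests are constructed for the demonstration.

```python
import os


class TraversalError(ValueError):
    """Raised when a requested path would resolve outside the base directory."""


def safe_join(base_dir: str, requested: str) -> str:
    """Resolve `requested` (already URL-decoded) beneath `base_dir`, refusing
    anything that escapes it. The decision is made on the canonical path, so
    '../' runs, absolute paths and symlinks are judged after normalisation
    rather than by pattern-matching the input."""
    if "\x00" in requested:
        raise TraversalError("NUL byte in path")
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `requested` is absolute; the
    # commonpath check below then rejects the result.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath rather than startswith: '/srv/files' is a string prefix of
    # '/srv/files2/x' but not a directory ancestor of it.
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"path escapes base directory: {requested!r}")
    return candidate


def is_rejected(base_dir: str, requested: str) -> bool:
    try:
        safe_join(base_dir, requested)
    except TraversalError:
        return True
    return False


# Constructed base directory for the example; it need not exist for realpath
# to normalise paths beneath it.
BASE = "/srv/editor/files"
```

Decoding order matters here just as with header injection: if the web layer hands the parameter over still percent-encoded, decode once before calling safe_join, and never decode again afterwards.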
______________________________________________________________________
09.22.69 CVE: Not Available
Platform: Web Application
Title: Basic Analysis And Security Engine Cross-Site Scripting and
HTML Injection Vulnerabilities
Description: Basic Analysis And Security Engine (BASE) provides a web
front-end to query and analyze alerts coming from a SNORT IDS system.
BASE is exposed to multiple cross-site scripting and HTML injection
issues because it fails to sufficiently sanitize user-supplied data.
These issues affect the "base_ag_main.php" and "base_qry_main.php"
scripts. BASE version 1.4.2 is affected.
Ref: http://base.secureideas.net/
______________________________________________________________________
09.22.70 CVE: Not Available
Platform: Web Application
Title: MiniTwitter SQL Injection and Cross-Site Scripting
Vulnerabilities
Description: MiniTwitter is a PHP-based application. The application
is exposed to multiple security issues. Exploiting these issues could
allow an attacker to steal cookie-based authentication credentials,
compromise the application, access or modify data, or exploit latent
vulnerabilities in the underlying database. MiniTwitter version 0.3
Beta is affected.
Ref: http://www.securityfocus.com/archive/1/503775
______________________________________________________________________
09.22.71 CVE: Not Available
Platform: Web Application
Title: AMember Multiple Cross-Site Scripting and HTML Injection
Vulnerabilities
Description: AMember is a PHP application that manages membership and
subscription for a web site. AMember is exposed to multiple input
validation issues. Attacker-supplied HTML or JavaScript code could run
in the context of the affected site, potentially allowing the attacker
to steal cookie-based authentication credentials and to control how
the site is rendered to the user; other attacks are also possible.
AMember version 3.1.7 is affected.
Ref: http://www.securityfocus.com/archive/1/503776
______________________________________________________________________
09.22.72 CVE: Not Available
Platform: Web Application
Title: Dokuwiki "doku.php" Local File Include
Description: Dokuwiki is a PHP-based wiki application. The application
is exposed to a local file include issue because it fails to properly
sanitize user-supplied input to the "config_cascade[main][default][]"
parameter of the "doku.php" script. Dokuwiki versions 2009-02-14,
rc2009-02-06, and rc2009-01-30 are affected.
Ref: http://www.securityfocus.com/bid/35095
______________________________________________________________________
09.22.73 CVE: Not Available
Platform: Web Application
Title: WP-Lytebox "main.php" Local File Include
Description: WP-Lytebox is a PHP-based plugin for the WordPress weblog
application. The application is exposed to a local file include issue
because it fails to properly sanitize user-supplied input to the "pg"
parameter of the "main.php" script. WP-Lytebox version 1.3 is
affected.
Ref: http://www.securityfocus.com/bid/35098
______________________________________________________________________
09.22.74 CVE: Not Available
Platform: Web Application
Title: cpCommerce "GLOBALS[prefix]" Local/Remote File Include
Description: cpCommerce is a web-based e-commerce application. The
application is exposed to a local/remote file include issue because it
fails to sufficiently sanitize user-supplied input to the
"GLOBALS[prefix]" parameter of the "_functions.php" script. cpCommerce
versions in the 1.2.x branch are affected.
Ref: http://www.securityfocus.com/bid/35103
______________________________________________________________________
09.22.75 CVE: Not Available
Platform: Web Application
Title: RSGallery2 Component for Mambo/Joomla! Backdoor
Description: RSGallery2 is a gallery component for the Mambo/Joomla!
content managers. RSGallery2 is exposed to a backdoor issue. The
backdoor resides in the "includes/rsgallery.class.php" and
"language/english-utf8.php" scripts. The scripts contain "eval()",
"execute()", and "shell_exec()" function calls with a user-supplied
"POST" argument. RSGallery2 versions 1.14.3 and 2.0.0b1 are affected.
Ref: http://www.securityfocus.com/archive/1/503824
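A planted backdoor of the shape described above (an execution sink fed directly from a request superglobal) is easy to sweep for across an extracted extension before installing it. The following added scanner is not from RSGallery2 or Joomla!; it is a lightweight regular-expression pass, not a PHP parser, and the sample PHP it runs over is constructed for the example.

```python
import re

# PHP sinks that execute code or commands, and the request-controlled sources.
SINKS = ("eval", "assert", "exec", "shell_exec", "system", "passthru",
         "popen", "proc_open", "create_function")
SOURCE_RE = re.compile(r"\$_(POST|GET|REQUEST|COOKIE|SERVER|FILES)\b|\$GLOBALS\b")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(", re.IGNORECASE)


def _argument_end(source: str, open_paren: int) -> int:
    """Index just past the parenthesis matching source[open_paren].
    Parentheses inside string literals are not special-cased; good enough
    for a triage sweep, which is all this is."""
    depth = 0
    for i in range(open_paren, len(source)):
        if source[i] == "(":
            depth += 1
        elif source[i] == ")":
            depth -= 1
            if depth == 0:
                return i + 1
    return len(source)      # unbalanced: take the rest of the file


def find_request_to_sink(php_source: str) -> list:
    """Return (line_number, sink, argument_text) for each call to an
    execution sink whose argument text references a request superglobal,
    directly or through a wrapper such as base64_decode()."""
    findings = []
    for m in SINK_RE.finditer(php_source):
        open_paren = m.end() - 1
        end = _argument_end(php_source, open_paren)
        args = php_source[open_paren + 1:end - 1]
        if SOURCE_RE.search(args):
            line_no = php_source.count("\n", 0, m.start()) + 1
            findings.append((line_no, m.group(1).lower(), args.strip()))
    return findings


# Constructed sample, not the real RSGallery2 files: one legitimate use of
# $_POST followed by three shapes of planted backdoor.
SAMPLE_PHP = """<?php
$name = htmlspecialchars($_POST['name']);
if (isset($_POST['rsg'])) { eval($_POST['rsg']); }
$out = shell_exec($_REQUEST['c']);
eval(base64_decode($_COOKIE['k']));
"""


if __name__ == "__main__":
    for line_no, sink, args in find_request_to_sink(SAMPLE_PHP):
        print(f"line {line_no}: {sink}({args})")
```

Run it over every .php file in the unpacked archive, and treat the same findings in a language file (as the advisory reports for "language/english-utf8.php") as the strongest possible signal, since translation tables have no business executing anything.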
______________________________________________________________________
09.22.76 CVE: Not Available
Platform: Web Application
Title: ZEECAREERS and SHAADICLONE "admin/addadminmembercode.php"
Authentication Bypass
Description: Zeeways ZEECAREERS and SHAADICLONE are web-based
applications. The applications are exposed to an authentication bypass
issue because they fail to restrict access to the
"admin/addadminmembercode.php" script. SHAADICLONE and ZEECAREERS
version 2.0 are affected.
Ref: http://www.securityfocus.com/bid/35107
______________________________________________________________________
09.22.77 CVE: Not Available
Platform: Web Application
Title: RoomPHPlanning Multiple Vulnerabilities
Description: RoomPHPlanning is a PHP-based reservations application.
The application is exposed to multiple issues. RoomPHPlanning version
1.6 is affected.
Ref: http://www.securityfocus.com/bid/35110
______________________________________________________________________
09.22.78 CVE: CVE-2009-1474, CVE-2009-1473, CVE-2009-1472,
CVE-2009-1477
Platform: Network Device
Title: Multiple ATEN IP KVM Switches Multiple Remote Vulnerabilities
and Weakness
Description: Multiple ATEN IP KVM switches are exposed to multiple
remote issues. Attackers can exploit these issues to execute Java code,
compromise and gain unauthorized access to the affected device
connected to the KVM, gain access to the session key, and gain access
to the session ID. Other attacks are also possible.
Ref: http://www.securityfocus.com/archive/1/503827
______________________________________________________________________
(c) 2009. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.
Subscriptions:
RISK is distributed free of charge by the SANS Institute
to people responsible for managing and securing information systems and
networks. You may forward this newsletter to others with such
responsibility inside or outside your organization.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
iEYEARECAAYFAkofCt8ACgkQ+LUG5KFpTka5XQCghLTnlq9XYqVK/oO30+ADVyd8
KRgAn37qgAPieNArkYtNsyIbTLQjtLzh
=Gfcx
-----END PGP SIGNATURE-----